1 VizSEC link analysis session: VisFlowConnect: netflow visualizations of link re 
for security situational awareness 

Xiaoxin Yin, William Yurcik, Michael Treaster, Yifan Li, Kiran Lakkaraju 
October 2004 Proceedings of the 2004 ACM workshop on Visualization and d< 
for computer security 




We present a visualization design to enhance the ability of an administrator to dete 
investigate anomalous traffic between a local network and external domains. Centr 
design is a parallel axes view which displays NetFlow records as links between two 
or domains while employing a variety of visual cues to assist the user. We describe 
filtering options that can be employed to hide uninteresting or innocuous traffic sue 
user can focus his or her attention ... 

Keywords: link analysis, link relationships, netflows, parallel axes, parallel coordir 
security, security visualization, situational awareness 



2 VizSEC state analysis session: NVisionIP: netflow visualizations of system sta 
security situational awareness 

Kiran Lakkaraju, William Yurcik, Adam J. Lee 

October 2004 Proceedings of the 2004 ACM workshop on Visualization and d< 
for computer security 


The number of attacks against large computer systems is currently growing at a ra 
Despite the best efforts of security analysts, large organizations are having trouble 
top of the current state of their networks. In this paper, we describe a tool called N 
that is designed to increase the security analysts' situational awareness. As human 
inherently visual beings, NVisionIP uses a graphical representation of a class-B net 
allow analysts to quickly visuali ... 
Keywords: NetFlows, security system state, security visualization, situational awa 



3 Building a better NetFlow 

Cristian Estan, Ken Keys, David Moore, George Varghese 
August 2004 ACM SIGCOMM Computer Communication Review , Proceedings 

of the 2004 conference on Applications, technologies, architectures, ai 

protocols for computer communications, Volume 34 Issue 4 

Network operators need to determine the composition of the traffic mix on links wh 
for dominant applications, users, or estimating traffic matrices. Cisco's NetFlow has 
into a solution that satisfies this need by reporting flow records that summarize a s 
the traffic traversing the link. But sampled NetFlow has shortcomings that hinder tl 
and analysis of traffic data. First, during flooding attacks router memory and netwc 
bandwidth consumed by flow records ... 

Keywords: data summarization, network monitoring, traffic measurement 



4 Algorithms: Bitmap algorithms for counting active flows on high speed links 
Cristian Estan, George Varghese, Mike Fisk 

October 2003 Proceedings of the 3rd ACM SIGCOMM conference on Internet 
measurement 


This paper presents a family of bitmap algorithms that address the problem of cour 
number of distinct header patterns (flows) seen on a high speed link. Such countin 
used to detect DoS attacks and port scans, and to solve measurement problems. C 
especially hard when processing must be done within a packet arrival time (8 nsec 
speeds) and, hence, must require only a small number of accesses to limited, fast t 
naive solution that maintains a hash table r ... 



Keywords: counting flows, network traffic measurement 



5 Measurement tools: Packet trace manipulation framework for test labs 
Andy Rupp, Holger Dreger, Anja Feldmann, Robin Sommer 

October 2004 Proceedings of the 4th ACM SIGCOMM conference on Internet 
measurement 


Evaluating network components such as network intrusion detection systems, firev\ 
routers, or switches suffers from the lack of available network traffic traces that on 
hand are appropriate for a specific test environment but on the other hand have th 
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characteristics as actual traffic. Instead of just capturing traffic and replaying the ti 
identify a set of packet trace manipulation operations that enable us to generate a 
bottom-up: our trace primitives can be t ... 

Keywords: evaluation, measurement, network, network intrusion detection, trace 



6 Computer security (SEC): Towards multisensor data fusion for DoS detection 
Christos Siaterlis, Basil Maglaris 

March 2004 Proceedings of the 2004 ACM symposium on Applied computing 


In our present work we introduce the use of data fusion in the field of DoS anomah 
We present Dempster-Shafer's Theory of Evidence (D-S) as the mathematical foun 
the development of a novel DoS detection engine. Based on a data fusion paradign 
combine multiple evidence generated from simple heuristics to feed our D-S inferei 
and attempt to detect flooding attacks. Our approach has as its main advantages th 
power of Theory of Evidence in expressing belie ... 

Keywords: Denial of Service, anomaly detection, data fusion 



7 Late breaking results: posters: A user-centered approach to visualizing networ 
intrusion detection 

John R. Goodall, A. Ant Ozok, Wayne G. Lutters, Penny Rheingans, Anita Komlodi 
April 2005 CHI '05 extended abstracts on Human factors in computing systen 


Intrusion detection (ID) analysts are charged with ensuring the safety and integrity 
high-speed computer networks. Their work includes the complex task of searching 
indications of attacks and misuse in vast amounts of network data. Although there 
information visualization tools to support ID, few are grounded in a thorough undei 
the work ID analysts perform or include any empirical evaluation. We present a us< 
visualization based on our understand! ... 

Keywords: information visualization, intrusion detection, network security, usabili 
user-centered design 



8 Passive measurements: Characteristics of network traffic flow anomalies 
Paul Barford, David Plonka 

November 2001 Proceedings of the 1st ACM SIGCOMM Workshop on Internet 
Measurement 



9 Detection: Characterization of network-wide anomalies in traffic flows 
Anukool Lakhina, Mark Crovella, Christophe Diot 

October 2004 Proceedings of the 4th ACM SIGCOMM conference on Internet 
measurement 


Detecting and understanding anomalies in IP networks is an open and ill-defined pr 
Toward this end, we have recently proposed the subspace method for anomaly dia< 
this paper we present the first large-scale exploration of the power of the subspace 
when applied to flow traffic. An important aspect of this approach is that it fuses in 
from flow measurements taken throughout a network. We apply the subspace metl 
different types of sampled flow traffic in ... 

Keywords: anomaly detection, network traffic analysis 



10 Session 5: P2P and streaming: Analyzing peer-to-peer traffic across large netv 
Subhabrata Sen, Jia Wang 

November 2002 Proceedings of the 2nd ACM SIGCOMM Workshop on Internet 
measurement 


The use of peer-to-peer (P2P) applications is growing dramatically, particularly for 
large video/audio files and software. In this paper, we analyze P2P traffic by measi 
level information collected at multiple border routers across a large ISP network, ai 
our investigation of three popular P2P systems — FastTrack, Gnutella, and DirectCc 
characterize the P2P traffic observed at a single ISP and its impact on the underlyir 
We observe very skewed distrib ... 

11 Networks applications: Gigascope: high performance network monitoring with 
interface 

Chuck Cranor, Yuan Gao, Theodore Johnson, Vladislav Shkapenyuk, Oliver Spatschecl 
June 2002 Proceedings of the 2002 ACM SIGMOD international conference on 
Management of data 


Operators of large networks and providers of network services need to monitor anc 
the network traffic flowing through their systems. Monitoring requirements range fi 
long term (e.g., monitoring link utilizations, computing traffic matrices) to the ad-h 
detecting network intrusions, debugging performance problems). Many of the appli 
complex (e.g., reconstruct TCP/IP sessions), query layer-7 data (find streaming m< 
connections), operate over huge volumes of data ... 




12 Identification and classification: Online identification of hierarchical heavy hittei 
algorithms, evaluation, and applications 
Yin Zhang, Sumeet Singh, Subhabrata Sen, Nick Duffield, Carsten Lund 
October 2004 Proceedings of the 4th ACM SIGCOMM conference on Internet 
measurement 


In traffic monitoring, accounting, and network anomaly detection, it is often import 
able to detect high-volume traffic clusters in near real-time. Such heavy-hitter trafl 
are often hierarchical (i.e., they may occur at different aggregation levels lit* 
IP addresses) and possibly multidimensional (i.e., they may involve the conr 
different IP header fields like IP addresses, port numbers, and protocol). Without p 
knowledge a ... 

Keywords: change detection, data stream computation, hierarchical heavy hitters 
anomaly detection, packet classification 



13 Detection: Reversible sketches for efficient and accurate change detection ove 
data streams 

Robert Schweller, Ashish Gupta, Elliot Parsons, Yan Chen 

October 2004 Proceedings of the 4th ACM SIGCOMM conference on Internet 
measurement 


Traffic anomalies such as failures and attacks are increasing in frequency and seve 
thus identifying them rapidly and accurately is critical for large network operators, 
detection typically treats the traffic as a collection of flows and looks for heavy chai 
traffic patterns (e.g., volume, number of connections). However, as link sp 
the number of flows increase, keeping per-flow state is not scalable. The recently p 
sketch-based schemes [14] ar ... 

Keywords: IP mangling, change detection, data stream computation, modular has 
network anomaly detection, reverse hashing, sketch 



14 Session 3: inference and statistical analysis: A signal analysis of network traffi< 
anomalies 

Paul Barford, Jeffery Kline, David Plonka, Amos Ron 

November 2002 Proceedings of the 2nd ACM SIGCOMM Workshop on Internet 
measurement 




Identifying anomalies rapidly and accurately is critical to the efficient operation of I 
computer networks. Accurately characterizing important classes of anomalies great 
their identification; however, the subtleties and complexities of anomalous traffic c 
confound this process. In this paper we report results of signal analysis of four clas 
network traffic anomalies: outages, flash crowds, attacks and measurement failure 
this study consists of IP flow ... 

15 Structural analysis of network traffic flows 

Anukool Lakhina, Konstantina Papagiannaki, Mark Crovella, Christophe Diot, Eric D. K 
Nina Taft 

June 2004 ACM SIGMETRICS Performance Evaluation Review , Proceedings o 
r International conference on Measurement and modeling of compu 

systems, Volume 32 Issue 1 

Network traffic arises from the superposition of Origin-Destination (OD) flows. Hen 
thorough understanding of OD flows is essential for modeling network traffic, and f 
addressing a wide variety of problems including traffic engineering, traffic matrix e: 
capacity planning, forecasting and anomaly detection. However, to date, OD flows 
been closely studied, and there is very little known about their properties. We prese 
analysis of complete sets of OD flow time- ... 

Keywords: network traffic analysis, principal component analysis, traffic engineer! 



16 Detection: On scalable attack detection in the network 
Ramana Rao Kompella, Sumeet Singh, George Varghese 

October 2004 Proceedings of the 4th ACM SIGCOMM conference on Internet 
measurement 


Current intrusion detection and prevention systems seek to detect a wide class of r 
intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfort 
the IDS systems we know of keep per-connection or per-flow state. Thus it is hardl 
that IDS systems (other than signature detection mechanisms) have not scaled to 
gigabit speeds. By contrast, note that both router lookups and fair queuing have sc 
speeds using aggregation ... 

Keywords: denial of service, scalability, security 



17 Session 9: traffic analysis: Agile and scalable analysis of network events 
Mike Fisk, George Varghese 

November 2002 Proceedings of the 2nd ACM SIGCOMM Workshop on Internet 
measurement 


The state of the art in general purpose software systems for large-scale traffic mea 
has not progressed much past the venerable libpcap. In this paper we describe a n 
analysis system that provides a scalable, flexible system for composing ad-hoc ana 
high-speed, streaming data. This agility allows researchers, network security analys 
network operators to easily compose new analysis functions. A growing tool box of 
measurement, and statistical tools al ... 

18 Session 3: Toward understanding distributed blackhole placement 

Evan Cooke, Michael Bailey, Z. Morley Mao, David Watson, Farnam Jahanian, Danny I s 
October 2004 Proceedings of the 2004 ACM workshop on Rapid malcode 


The monitoring of unused Internet address space has been shown to be an effectiv 
for characterizing Internet threats including Internet worms and DDOS attacks. Be* 
are no legitimate hosts in an unused address block, traffic must be the result of 
misconfiguration, backscatter from spoofed source addresses, or scanning from wo 
other probing. This paper extends previous work characterizing traffic seen at spec 
address blocks by examining differences observed b ... 

Keywords: blackhole monitoring, blackhole placement, computer worms, globally 
threats, internet motion sensor, network security 



19 DOS protection: Hop-count filtering: an effective defense against spoofed DDo 
Cheng Jin, Haining Wang, Kang G. Shin 

October 2003 Proceedings of the 10th ACM conference on Computer and 
communications security 


IP spoofing has been exploited by Distributed Denial of Service (DDoS) attacks to ( 
flooding sources and localities in flooding traffic, and (2) coax legitimate hosts into 
reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoo 
packets near victims is essential to their own protection as well as to their avoidant 
becoming involuntary DoS reflectors. Although an attacker can forge any field in th 
he or she cannot falsify t ... 

Keywords: DDoS defense, TTL, host-based, networking, security 



20 Approximations: Sketch-based change detection: methods, evaluation, and ap 
Balachander Krishnamurthy, Subhabrata Sen, Yin Zhang, Yan Chen 
October 2003 Proceedings of the 3rd ACM SIGCOMM conference on Internet 
measurement 


Traffic anomalies such as failures and attacks are commonplace in today's network 
identifying them rapidly and accurately is critical for large network operators. The c 
typically treats the traffic as a collection of flows that need to be examined for sign 
changes in traffic pattern (e.g., volume, number of connections). However, as link s| 
the number of flows increase, keeping per-flow state is either too expensive or too 
propose building compact summaries of ... 

Keywords: change detection, data stream computation, forecasting, network anor 
detection, sketch, time series analysis 
FloMA: Software 

Pointer Collections 

FreshMeat NetFlow projects 

A list of pointers to open-source projects related to NetFlow. 
Internet Tools Taxonomy 

On CAIDA's Web server. Includes many traffic analysis tools. 
NetFlow Applications list 

On InMon's Web server. 
Cisco NetFlow Ecosystem Solutions 

Contains descriptions of many applications that integrate NetFlow support, n 
commercial software with the exception of FlowScan and flow-tools. 



NetFlow 

FlowScan 

A Perl-based system to analyze and report on flows collected by flow-tool 
cflowd, by Dave Plonka. Sample output graphs are available too, as well as 
Majordomo-driven mailing lists for announcements and general discussion (i 
is currently built on Cflow.pm. User-contributed tools based on FlowScan in 
CarrierIn from Stanislav Sinyagin 

which claims to be more suitable for larger ISP/Carriers 

CUFlow from Matt Selsky and Johan M. Andersen at Columbia University 

which is an alternative graphing tool "designed to combine the featur 
CampusIO and SubNetIO". Robert S. Galloway has contributed a nice 
style document describing how it can be used. 

FlowMonitor from Johan M. Andersen at Columbia University 

monitors individual users' network usage against a bandwidth usage 

JKFlow by Jurgen Kobierczynski 

A new reporting module which is highly configurable using an XML co 
file. 

flow-tools 

Similar to cflowd but implemented as a set of smaller tools, with the additii 
compression of the recorded data, thus capable of recording many more flov 
amount of disk space. See paper about its application for Intrusion Detectior 
also a mailing list for the package. 

-> There is a short presentation called Ohio Gigapop Traffic Measurements that 
some examples on how flow-tools can be used. 

The package is widely used, and there are quite a few user contributions, su 
flow-extract, which can be used to filter flow-tools-recorded flows throug 
specified tests; a set of "Inter.netPH contribs" by Horatio B. Bogbindero; sor 
and a Python module by Robin Sommer. 



Stager 

Stager is a system for aggregation and presentation of network statistics fro 
tools package. Includes PostgreSQL storage of aggregated statistics, as well 
frontend. A public demo is available. 
CESNET NetFlow Monitor 
by Jan Nejman. 
RUS-CERT tools 

The CERT of the Stuttgart University computing center (RUS-CERT) has publ 
tools that they use internally to analyze Netflow data. Some of the documen 
German. 
pmacct 

A set of tools to account and aggregate IP traffic. Originally based on libpc 
supports Netflow v1 and v5, and should soon support Netflow v9, too. 

NEye 

NEye is a Netflow V5 collector. It logs incoming Netflow V5 data to ASCII, M- 
SQLite databases, and it makes full use of POSIX threads if available. It wor 
major platforms (Linux, Solaris, AIX, Irix, HP/UX, Mac OS X, Digital Unix, et< 
ones too (Ultrix, Nextstep, etc.). 

NetFlow2MySQL, NetFlow2XML and pcNetFlow 

Three products from a research project at the NARA Institute of Science and 
Technology. 

F.L.A.V.I.O. (see also the FreshMeat page) 

A Perl-based NetFlow collector that stores flow data "into a MySQL database 
back to graph daily, weekly, monthly and yearly charts." 

CAIDA cflowd 

Rather complex system with distributed log servers. Released in 1998, this v 
open-source software system to work on NetFlow data, but doesn't seem to 
maintained anymore. CAIDA have prepared a nice FAQ which contains inter* 
information both on Cflowd and on NetFlow in general. CAIDA has announce 
no longer support cflowd, and recommend that people move to flow-tools 
Fluxoscope 

Software used for charging, monitoring, and traffic analysis at SWITCH. Incl 
own NetFlow v5 accounting receiver which aggregates traffic into multidimer 
matrices (AS/site/application). Most of the software is written in Common Li: 
UDP Samplicator 

A small program that receives UDP datagrams and redistributes them to a st 
receivers. Useful to distribute NetFlow accounting streams to multiple post-p 
programs. Is able to distribute only a specified percentage of all packets to c 
receiver. Note that recent versions added the possibility of "spoofing" the < 
sender's IP address. 
Panoptis 

An open-source project started by Costas Kotsokalis from GRNET, the Greek 
network. Uses NetFlow accounting data to detect (Distributed) Denial of Ser 
Status as of early May 2002: Supports NetFlow v1 or v5 as inputs, with v8 ( 
aggregated) support under development. The system is currently being exte 
support attack trace-back using a mesh of detectors. 

MHTG (Multi Host Traffic Grapher) 

Uses NetFlow to generate per-host graphs of traffic for a campus network. N 
interface implemented as a Java applet which allows interaction with traffic | 
software consists of a C++ program to process NetFlow data, a Mysql backe 
frontend and the Java grapher. 

Matt's Quick & Dirty CFLOWD tutorial and scripts... 

Postprocessing scripts for cflowd data by Matthew Petach 

flow2rrd.pl 

Converts a Cisco NetFlow stream into a set of RRDtool files, based on a set of IP 
By Alex Pilosov. 

Slate 

An application that converts LFAP data into NetFlow records - see 
http://www.nmops.org/ . 

Ntop 

This well-known libpcap-based network usage monitor has been extended tc 
NetFlow v5 accounting data. It also supports sFlow . 

SiLK 

SiLK, the System for Internet-Level Knowledge, is a collection of netflow too 
developed by the CERT/ NetSA (Network Situational Awareness) Team to fac 
security analysis in large networks. 
NFDUMP 

A set of tools to capture/record, dump, filter, and replay NetFlow (v5/v7) da 
filter flows according to multiple user-defined profiles. 
NfSen 

Graphical Web-based front-end for the NFDUMP tools. Plots aggregate statis 
time, supports filtering and drilling down up to the individual flow level. 
UPFrame 

This UDP/Netflow Processing Framework is a system for real-time processing 
packet streams such as Netflow export data. It features a general infrastrucl 
dynamically configurable plugin modules. 

nProbe 

A small self-contained program that generates NetFlow accounting data for i 
stream sniffed off one or several interfaces. Works under Unix and Windows 
environments. It can be used to build inexpensive NetFlow probes. 
fprobe (I) 

Traffic probe that can generate NetFlow data. Based on the libpcap library. F 
implementation in C. 
fprobe (II) 

Another NetFlow-generating software traffic probe. 
Softflowd 

Traffic probe that can generate NetFlow data. Based on libpcap. Comes with 
collector in Perl. Both the server (probe) and client (collector) support expor 
over IPv6. Very lean (as of June 2004) implementation in C. 
The pfflowd variant is based on OpenBSD's PF interface. 
Argus from QoSient 

This network Audit Record Generation and Utilization System can be used fo 
detection and QoS monitoring. It is also mentioned in the reference section < 
pages. 

Flowc 

"a tool for gathering, storing and analyzing traffic accounting for Cisco route 
NetFlow enabled switching (version 5). This package could be used by ISP fc 
analysis and billing procedures." 
NetFlowMet 

Starting with release 4.2, Nevil Brownlee's NeTraMet package includes NetFI 
which implements an RTFM meter fed on Netflow accounting data. 

NetFlow Accounting software from ABPSoft 

A self-contained NetFlow processing system written in C. Writes captured flo 
Postprocessor breaks up this data over peers according to a definition file. 

EHNT (Extreme Happy NetFlow Tool) by Nik Weidenbacher 

Another self-contained NetFlow accounting packet processor. The receiving [ 
functions as a server to which various kinds of clients can connect. Also writf 

Hendrik Visage's NetFlow tools 

FTP site with various tools for NetFlow postprocessing. In particular, you will 

1. a UDP duplicator (hack of samplicator to preserve the source router I 

2. a couple of hacks to cflowd for dumping the flows every %n seconds 
"flhh" to output flowdump stuff aggregated, ready for a 
"grep|sed "s/ .. /update /"|rrdtool" 

MATHE 

An article (in French) about a Netflow accounting and visualization system u 
Uses an Oracle database and Perl DBI/GD scripts to generate a nice breakdc 
external traffic to departments/institutes. 

JANET Traffic Accounting Site 

An impressive application of Netflow which is used for volume-based chargin 
JANET's U.S. connection. Other statistics at JANET were done using NeTraMc 

sFlow Toolkit 

Open source tools for analyzing sFlow data. Allows sFlow data to be used wil 
of open source tools, including: tcpdump, snort and MRTG or rrdtool. Also at 
convert sFlow packets to NetFlow packets. 

Commercial Applications 

Caligare Flow Inspector and Netlmonitor 

Analyzes NetFlow data for network monitoring as well as attack detection an 
Works with NetFlow data export versions 1, 5, 6, 7 and 9. Netlmonitor is prima 
designed for use in the United States. 

QRadar from Q1 Labs 

The system can use Netflow data, but also includes its own payload-aware fl 
which produces bi-directional flow information in a format called QFlow. 

Cyclades-nQuirer 

A network traffic monitoring appliance that can generate data in both Netfloi 
formats. 

Crannog Software's Netflow Monitor 

LAN and WAN bandwidth analysis based on NetFlow data. Includes a Web in 
including Java applets to display traffic graphs and to enable drill-down. As c 
2003, runs on Microsoft Windows NT4/2000/XP. An evaluation version of Ne 
now available for download. Crannog is also said to have support for Netflow 
November 2003. 
I-ABA and M-NTM from Tek Yazilim 

Windows-based software to analyze NetFlow (and Cisco IP Accounting) stati: 
specifically analyzes AS-to-AS traffic streams. Trial versions can be downloa> 

Network Signature BENTO 

BENTO stands for "BGP Enabled Network Traffic Organizer" and is a high-p 
NetFlow data processor with an integrated BGP-4 implementation to facilitat 
analysis based on complex external routing relationships. Product offerings i 
software/support package and an "appliance" consisting of a preconfigurec 
mount server. 

IsarFlow from IsarNet 

IsarFlow is a traffic analysis tool for accounting, capacity planning, QoS mon 
application distribution within Citrix sessions based on Netflow. 

NetQoS ReporterAnalyzer 

Scalable solution for the visualization of network traffic data 

ManageEngine NetFlow Analyzer 

from AdventNet. Supports location of bottlenecks and allows drilling down tc 
that is causing them. Thirty-day evaluation license available free of charge. ' 
Windows, Linux (x86) and Solaris (SPARC). 

NetUsage from Apoapsis (formerly called WANBUS) 

The NetUsage suite strives to provide visibility of network traffic, producing i 
reports not only for network professionals, but for IT management, business 
and accounts departments. Supports network traffic monitoring, capacity pic 
business justification and cost control. 

Apogee Networks 

The NetCountant network usage- based billing system and the NetScope real 
network monitoring and performance analysis solution support NetFlow, RM( 
RADIUS, other SNMP MIBs, and "Layer 7" application/content switches. 
Nazca. Billing 

Integrated billing software for "Telephony, Internet and Networks". Contains 
to many accounting systems including NetFlow. 
Arbor Networks 

Peakflow DOS detects denial-of-service attacks, and Peakflow Traffic analyze 
and routing history. Both can process NetFlow accounting data. As of Noverr 
Arbor is said to support Netflow v9. 

Cisco 

NetFlow Flow Collector/ Network Data Analyzer 

Similar to cflowd but productized, with a (Java-based) GUI and possibly be 
possibilities of defining filters and aggregation schemes. 

• NetFlow Collector 3.6 documentation, demo version download 
• Network Data Analyzer 3.6 documentation, demo version (3.0) down 
NAM (Network Analyzer Module) 

This is a "NetFlow collector on a linecard" for the Catalyst 6500/7600 OSR pi 
Concord 

Network Health uses NetFlow and RMON2 accounting information "to deter 
application, bandwidth and server usage." 
Digiquant 

IMS accounting and billing system based on Oracle 9i under Unix. 
Quallaby 

Has a Netflow application package for its PROVISO system for network perfo 
monitoring and service assurance. 
Gadgets Software & Professional Services Ltd. 

Network Intelligence traffic measurement and visualisation software for GNL 
Windows (client only) platforms. Free trial available. Includes 3D visualizatio 
OpenGL. 

The author also wrote bbnfc, a "bare-bones Netflow collector tool" that sit 
receives and displays Netflow v5 packets. 
Hewlett-Packard 

The Smart Internet Billing Solution usage management system as well as ( 
Performance Insight for Networks (OVPI) use NetFlow accounting data as po 

InfoVista Corporation 

InfoVista Service Level Management (SLM) and conformance solution. 

InMon Traffic Server 

is a commercial, web-based application running on Linux that provides real-i 
historical analysis of flow information from sFlow and NetFlow sources. Web 
provide easy access to historical traffic matrices. Real-time top talker charts 
sources of congestion. 

Ixia 

IxTraffic integrates NetFlow accounting data with topology information from 
4 feed to allow analysis of inter-domain traffic patterns. 
Micromuse 

Cisco Info Center USM "acquires, analyzes, displays and exports Internet u 

NARUS 

OSS Mediation solutions 
NetScout 

nGenius Performance Manager "is a complete solution for proactive monito 
troubleshooting, capacity planning, and Voice over IP (VoIP) monitoring". 
Portal Software 

Infranet real-time customer management and billing software. 
RODOPI 

Billing software for ISPs. 

XACCT 

Commercial vendor of accounting and billing solutions with the ability to pro* 
(among others) Netflow accounting data 
LoriotPro 

A network monitoring ("supervision" in franglais) system that includes a Net 



Currently, there are a few implementations of RTFM meters: 

NeTraMet and NetFlowMet by Nevil Brownlee of the University of Auckland. 

NeTraMet is based on traffic snooping and runs on Intel PCs and several typ« 
workstation. NetFlowMet gathers Netflow accounting information from (Ciscc 
and makes that available in RTFM-compatible. 

IBM 

IBM is supposed to have implemented the RTFM framework, but I couldn't fi 
references to this work. 

For updates and additions to this page, please contact simon@switch.ch . 